ghsa-mmhf-mx7h-v77h
Vulnerability from github
Published
2024-05-19 09:34
Modified
2024-06-27 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbmod: prevent kernel-infoleak

syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1].

The issue here is that 'struct tc_skbmod' has a four bytes hole.

We need to clear the structure before filling fields.

[1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 _syssendmsg+0x877/0xb60 net/socket.c:2584 _sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-35893"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that \u0027struct tc_skbmod\u0027 has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n  copy_to_user_iter lib/iov_iter.c:24 [inline]\n  iterate_ubuf include/linux/iov_iter.h:29 [inline]\n  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n  iterate_and_advance include/linux/iov_iter.h:271 [inline]\n  _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n  copy_to_iter include/linux/uio.h:196 [inline]\n  simple_copy_to_iter net/core/datagram.c:532 [inline]\n  __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n  skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n  skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n  netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n  __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n  __do_sys_recvfrom net/socket.c:2260 [inline]\n  __se_sys_recvfrom net/socket.c:2256 [inline]\n  __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n  netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n  netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n  nlmsg_unicast include/net/netlink.h:1144 [inline]\n  nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n  rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n  rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n  tcf_add_notify net/sched/act_api.c:2048 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n  netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n  netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n  netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n  sock_sendmsg_nosec net/socket.c:730 [inline]\n  __sock_sendmsg+0x30f/0x380 net/socket.c:745\n  ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n  __sys_sendmsg net/socket.c:2667 [inline]\n  __do_sys_sendmsg net/socket.c:2676 [inline]\n  __se_sys_sendmsg net/socket.c:2674 [inline]\n  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n  __nla_put lib/nlattr.c:1041 [inline]\n  nla_put+0x1c6/0x230 lib/nlattr.c:1099\n  tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n  tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n  tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n  tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n  tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n  tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n  tcf_add_notify net/sched/act_api.c:2042 [inline]\n  tcf_action_add net/sched/act_api.c:2071 [inline]\n  tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n  rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n  netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---",
  "id": "GHSA-mmhf-mx7h-v77h",
  "modified": "2024-06-27T12:30:46Z",
  "published": "2024-05-19T09:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.